Red Hat LINUX 7.2 - OFFICIAL LINUX CUSTOMIZATION GUIDE, Installation Guide, page 169
Chapter 14. Firewalling with iptables 169
14.3. Options Used in iptables Commands
Rules that let the kernel filter packets are put in place by running the iptables command with a
number of options that identify the type of packets to match, the source or destination of those
packets, and what to do with a packet that matches the rule. The options used in a particular
iptables rule must be grouped logically, according to the purpose and conditions of the rule as a
whole, for the rule to be valid.
14.3.1. Tables
A powerful aspect of iptables is that several tables can be consulted to decide the fate of a
particular packet, depending on the type of packet being examined and what is to be done with it.
Because iptables is extensible, specialized tables can be created; each table is a kernel module
stored under the /lib/modules/<kernel-version>/kernel/net/ipv4/netfilter/ directory (the nat and
mangle tables, for example, are the iptable_nat and iptable_mangle modules). Think of iptables as
being able to run multiple sets of ipchains-style rules in defined chains, with each set fulfilling
a particular role.
The default table, named filter, contains the standard built-in INPUT, OUTPUT, and FORWARD
chains. This is somewhat similar to the standard chains used with ipchains. By default, however,
iptables also includes two additional tables that perform specific packet-handling jobs. The nat
table is used to rewrite the source and destination addresses recorded in packets (network address
translation), and the mangle table allows you to alter packets in specialized ways, such as changing
header fields like the type-of-service value or marking packets for later handling.
Each table contains built-in chains that perform the tasks appropriate to the purpose of that table,
and you can easily set up new chains of your own in each of the tables.
14.3.2. Structure
Many iptables commands have the following structure:
    iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> \
        <parameter-n> <option-n>

In this example, the <table-name> option allows the user to select a table other than the default
filter table to use with the command. The <command> option is the center of the command, dictating a
specific action to perform, such as appending a rule to or deleting a rule from a particular chain,
which is specified by the <chain-name> option. Following the chain name are pairs of parameters and
options that actually define the way the rule will work and what will happen when a packet matches
the rule.
When looking at the structure of an iptables command, remember that, unlike most other commands,
the length and complexity of an iptables command change with its purpose. A command to remove a
rule from a chain can be very short, while a command designed to filter packets from a particular
subnet using a variety of specific parameters and options can be rather lengthy. One way to think
about iptables commands is to recognize that some parameters and options create the need for further
parameters and options to complete the previous option's request; the port options --dport and
--sport, for example, are only meaningful once -p tcp or -p udp has selected a protocol that carries
port numbers, and must come after it on the command line. To construct a valid rule, this must
continue until every parameter and option that requires another set of options has been satisfied.
Type iptables -h to see a comprehensive list of iptables command structures.
14.3.3. Commands
Commands tell iptables to perform a specific action, and only one command is allowed per iptables
command string. Except for the help command (-h), all commands are written as upper-case characters.
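The three sections above (tables, command structure, and the one-command rule) in one added example. This is not code from the Red Hat guide: it is a small shell wrapper that assembles iptables invocations in the documented shape, refuses invocations that break the structural rules, and builds a sample rule set that touches the filter, nat, and mangle tables plus a user-defined chain. Assumptions: the binary lives at /sbin/iptables, the outside interface is eth0, the service is SSH on port 22, the list of upper-case command letters (-A through -E) is the full set of iptables commands, which this page does not enumerate, and the two option dependencies it checks (--dport/--sport need -p tcp or -p udp before them, --state needs -m state before it) are iptables behaviour rather than something the page states. With DRY_RUN=1, the default, it only echoes the assembled command lines, so it runs without root.

```sh
#!/bin/sh
# Added example, not code from the Red Hat guide: a wrapper that assembles
# iptables invocations in the shape the guide documents,
#     iptables [-t table-name] command chain-name parameter option ...
# checks the structural rules before running anything, and with DRY_RUN=1
# (the default) only echoes the assembled lines, so it runs without root.

DRY_RUN=${DRY_RUN:-1}
IPTABLES=${IPTABLES:-/sbin/iptables}   # assumed path of the iptables binary

# check_deps PARAMETER OPTION ...
# Two dependencies that iptables enforces left to right: --dport/--sport are
# only known once -p tcp or -p udp (or -m tcp/-m udp) has been seen, and
# --state is only known once -m state has been seen. This is the only
# dependency knowledge the example has; real iptables checks many more.
check_deps() {
    proto=''
    matches=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol)
                [ $# -ge 2 ] || { echo "rule: $1 needs a value" >&2; return 1; }
                proto=$2; shift ;;
            -m|--match)
                [ $# -ge 2 ] || { echo "rule: $1 needs a value" >&2; return 1; }
                matches="$matches $2"; shift ;;
            --dport|--sport|--destination-port|--source-port)
                case " $proto $matches " in
                    *" tcp "*|*" udp "*) ;;
                    *) echo "rule: $1 needs -p tcp or -p udp before it" >&2; return 1 ;;
                esac ;;
            --state)
                case " $matches " in
                    *" state "*) ;;
                    *) echo "rule: --state needs -m state before it" >&2; return 1 ;;
                esac ;;
        esac
        shift
    done
    return 0
}

# rule TABLE COMMAND CHAIN [PARAMETER OPTION ...]
# Accepts only the three tables the guide describes and exactly one command,
# which must be one of the upper-case iptables commands (the guide: one
# command per invocation, upper-case except -h), runs check_deps on the
# parameter/option pairs, then echoes or executes the assembled line.
rule() {
    [ $# -ge 3 ] || { echo "usage: rule TABLE COMMAND CHAIN [PARAMETER OPTION ...]" >&2; return 1; }
    table=$1; cmd=$2; chain=$3; shift 3
    case "$table" in
        filter|nat|mangle) ;;
        *) echo "rule: unknown table '$table'" >&2; return 1 ;;
    esac
    case "$cmd" in
        -A|-D|-I|-R|-L|-F|-Z|-N|-X|-P|-E) ;;
        *) echo "rule: '$cmd' is not a single upper-case iptables command" >&2; return 1 ;;
    esac
    check_deps "$@" || return 1
    line="$IPTABLES -t $table $cmd $chain"
    if [ $# -gt 0 ]; then line="$line $*"; fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "$line"
    else
        "$IPTABLES" -t "$table" "$cmd" "$chain" "$@"
    fi
}

# A small rule set touching all three default tables and a user-defined
# chain (constructed for this example; eth0 and port 22 are assumptions).
apply_ruleset() {
    rule filter -P INPUT DROP &&
    rule filter -A INPUT -i lo -j ACCEPT &&
    rule filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    rule filter -N ssh_in &&
    rule filter -A ssh_in -m state --state NEW -j ACCEPT &&
    rule filter -A INPUT -p tcp --dport 22 -j ssh_in &&
    rule nat    -A POSTROUTING -o eth0 -j MASQUERADE &&
    rule mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
}

apply_ruleset
```

Run it as is to see the eight command lines it would issue; run it as root with DRY_RUN=0 to apply them. Reordering a pair, for instance putting --dport 22 before -p tcp, makes the wrapper reject the rule, which is the same left-to-right dependency that iptables itself enforces.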